What Palo Alto Networks Won’t Tell You About Its New SASE Service

Palo Alto’s recent introduction of a SASE service once again mistakes virtual appliances for a cloud-native architecture. Here’s why you should care.

Shlomo Kramer, CEO, Cato Networks



It has been a long time since I shared an office with Nir Zuk, the co-founder and CTO of Palo Alto Networks (PAN). Back in 1998, at Check Point’s office in San Francisco, it was early days for the network security company co-founded by Gil Shwed, Marius Nacht, and me. Since then, Nir launched PAN, which became a global leader in network security. I was honored to support Nir and the PAN team early in their journey.

Last week, our paths converged again. This time, we shared a vision for the future of networking and security. On the stage of PAN’s annual event, Nir presented PAN’s vision of a converged cloud-based architecture that will displace the legacy appliance stack of today. Nir did a great job advocating for the convergence of the numerous point solutions piled in IT departments everywhere.

Nir wasn’t first, though. Only a few months earlier, Gartner created a new category with essentially the same attributes and called it the Secure Access Service Edge (SASE). Prisma Access is PAN’s version of SASE. However, both PAN and Gartner have been late adopters of the “convergence” story.

Five years ago, Gur Shatz and I co-founded Cato Networks with the goal of delivering the converged, cloud-native architecture for networking and security described by Gartner with SASE. We had no “appliance baggage” nor a commitment to legacy revenue streams and dated business models. We went ahead and built the right platform for customers that had started to undergo a digital transformation.

Our approach faced skepticism and disbelief. Some thought creating a software-defined network with a built-in network security stack was “ambitious” (code for “impossible”). Customers couldn’t believe a solution like Cato’s could ever exist (code for “too good to be true”).

What a real SASE platform entails

The fact is, building a real SASE platform is very hard to do because there are no shortcuts. Creating cloud-based points of presence (PoPs) by putting virtual appliances in them, and then adding other acquired point solutions, is barely aligned with the SASE vision. Gartner warned customers of an impending marketing war where vendors will try to position virtual machines, and re-packaging of legacy technologies, as “SASE.” In short, you can't build a Netflix with a stack of DVD players.

SASE is about creating a ubiquitous, resilient, and agile secure network service—globally. This means that the SASE platform can serve all business users everywhere and that customers don’t have to be aware of the inner workings of the service itself. Simply put, customers should be isolated from the locations, capacities, capabilities, and service continuity considerations of the service. In PAN’s world, customers still think “my cloud-based appliances,” still think “user allocation to appliances in specific locations,” and still think “how the failover will work.” This isn't SASE; this is someone else’s appliance stuck in the cloud.

PAN also launched SD-WAN within the edge firewalls. They spent very little time on it, basically boiling it down to a few missing features in the firewalls that would now become SD-WAN devices too. This is a gross underestimation of the importance of the network to customers. While listed as a single requirement of the SASE architecture, SD-WAN provides multiple critical access capabilities to the cloud-native security stack. It is the role of SD-WAN to ensure, with its edge and cloud capabilities, that voice calls are clear and stable, that remote desktops exhibit no latency, that all network flows are optimized, globally, end-to-end, and that the service isn't affected by infrastructure glitches. Unlike what is available with many network security products, there is no “fail open” mode for the network itself.

I would like to welcome Nir and PAN to what is a converged reality—today. Cato now has hundreds of customers and thousands of locations that rely on the Cato Cloud to deliver a global optimized network converged with a wide range of security capabilities.

SASE is a very simple concept at its core. But to truly deliver this secure network of the future requires a deep rethinking of existing architectures and, more specifically, the necessity to walk away from the appliance-centric model that was so successful for the past 15 years. Cato Networks will stay the course of evolving the only true SASE platform available today. In the battle of architectures, cloud-native vs. appliances, there can only be one clear winner.